Problem/Motivation
- Now that we have SafeMarkup::escape(), which is smarter than String::checkPlain() (it leaves a string that has already been marked safe untouched and escapes everything else), there is no reason not to use it within String::format().
- Doing so allows '@' (and '%') placeholders to be used safely for values that contain HTML: a value that has already been marked safe passes through unescaped, while anything unmarked is still escaped, so the same value is never escaped twice.
Proposed resolution
See issue title and patch.
Remaining tasks
Review. Commit.
User interface changes
None.
API changes
The only break is for code that was passing already-escaped text/HTML as '@' or '%' placeholder values and relying on that getting double-escaped. This is unlikely. Such places will now need to call String::checkPlain() on those placeholders themselves to achieve that double escaping.
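As an added illustration (not code from this issue, its patch, or Drupal itself), the following PHP models the behaviour described under Problem/Motivation and the break described just above: an escape() that consults a list of strings already marked safe, used inside a minimal format(). The class SafeList, the helper plainEscape() and the function format() are assumptions made for the example; Drupal's real SafeMarkup and String classes differ in detail.

```php
<?php
// Added example: a minimal model of "escape only what is not already marked
// safe" inside a format() that supports @, % and ! placeholders. The names
// SafeList, plainEscape() and format() are assumptions for illustration and
// are not Drupal's own API.

final class SafeList
{
    /**
     * Strings already known to be safe HTML. Keyed by string value, so marking
     * one string safe marks every identical string safe, wherever it came from.
     *
     * @var array<string,true>
     */
    private static array $safe = [];

    /** Mark a string as safe and return it unchanged. */
    public static function set(string $s): string
    {
        self::$safe[$s] = true;
        return $s;
    }

    public static function isSafe(string $s): bool
    {
        return isset(self::$safe[$s]);
    }

    /** Escape once, and mark the escaped result safe. */
    public static function checkPlain(string $s): string
    {
        return self::set(htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
    }

    /** Escape unless the string has already been marked safe. */
    public static function escape(string $s): string
    {
        return self::isSafe($s) ? $s : self::checkPlain($s);
    }
}

/** Escaping that does NOT mark its result safe (hypothetical helper). */
function plainEscape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Model of format(): '@' escapes, '%' escapes and wraps in <em>, '!' passes
 * the value through verbatim (the caller is responsible for its safety).
 */
function format(string $string, array $args): string
{
    foreach ($args as $key => $value) {
        switch ($key[0]) {
            case '@':
                $args[$key] = SafeList::escape($value);
                break;
            case '%':
                $args[$key] = '<em class="placeholder">' . SafeList::escape($value) . '</em>';
                break;
            case '!':
                break;
            default:
                // Unknown placeholder type: drop it rather than substitute it.
                unset($args[$key]);
        }
    }
    return strtr($string, $args);
}

// 1. Untrusted input (constructed sample) is escaped exactly once.
$attack = '<script>alert(1)</script>';
echo format('Hello @name', ['@name' => $attack]), "\n";

// 2. A value escaped with the safe-marking checkPlain() passes through '@'
//    unchanged: no double escaping, and no raw markup either.
$once = SafeList::checkPlain('Tom & Jerry');
echo format('Welcome @name', ['@name' => $once]), "\n";

// 3. The break described under "API changes": already-escaped text that
//    nothing marked safe is escaped a second time by '@'.
$unmarked = plainEscape('Tom & Jerry');
echo format('Welcome @name', ['@name' => $unmarked]), "\n";
```

Case 1 shows the normal path, case 2 shows why the change removes double escaping for values the system already knows are safe, and case 3 shows that the outcome now depends on whether a value was marked safe rather than on whether it merely looks escaped. The comment on `$safe` is the caveat a reviewer should keep in mind with any safe list keyed by string value: marking a string safe applies to every identical string, not only the one instance that was checked.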
Beta phase evaluation
Issue category | Task, because D7 always escaped these placeholders and it has not yet been decided to do otherwise.
---|---
Issue priority | Major, because it allows easy fixing of many double-escaping bugs left throughout Drupal.
Disruption | Only disruptive for modules that pass already-escaped text and want it double-escaped; they now need to be explicit about wanting that.